Introduction to Penetration Testing:

Penetration Testing - Process Street

This Process Street penetration testing checklist is engineered to give a documentation process for staff carrying out penetration testing on either their own networks and services or those of a client.

Penetration testing is a method of locating vulnerabilities of information systems by playing the character of a cracker. The goal of the tester is to enter into a system and then burrow in as deep as possible. The deeper the tester can embed themselves and the more permanent their access can be, the more damage they can cause. A thorough pen-test aims to reveal these weaknesses so they can be closed as quickly as possible without having a real cracker expose them.

This Process Street template aims to follow a standard pen-testing process, however, if there are further steps you wish to add or remove you are free to do so. You can simply add this template to your account and click to edit the template. The template is fully editable in order to meet the specific needs of your company.

Throughout the template you will notice form fields where you can enter information as you run the checklist. All data entered into these form fields is stored in the template overview tab in a spreadsheet format. This data can then be exported as a CSV if you wish to keep an internal backup. You can add or remove form fields from the process in order to change the kind of data you're collecting.

If you want to hear a little more about penetration testing, check out the video below:

What is Penetration Testing?

Record the details of the test

Use the form fields provided to record the details of the checklist.

Name of the person undertaking the testing

Define the scope of the test

Enter the date the test will commence

List the testing methods

Use the form field below to outline the different methods to be employed during this test.

This will help to define what has been tested and what wasn't.

For an in-depth analysis of the different methods available, watch the video below.

Outline the methods to be employed

Top Methods Pen Testers Use - SANS Pen Test Training

Gather network and domain names

Use the form field below to record the different networks and domain names relevant to your exploration.

Networks and domain names

Run a static analysis

A static analysis uses a program to perform a non-runtime assessment of a program's code.

This provides an initial non-hands-on approach to find vulnerabilities when starting your research.

Record your notes on the static analysis below or watch the video for inspiration.

Notes on static analysis

Windows App Static Analysis

Run a dynamic analysis

A dynamic analysis is similar to a static analysis except it takes place while the program is running.

A dynamic test will monitor system memory, functional behavior, response time, and overall performance of the system.

Though static analysis is in ways a more thorough approach, dynamic analysis is capable of exposing a subtle flaw or vulnerability too complicated for static analysis alone to reveal and can also be the more expedient method of testing.

Use the form field below to record your notes.

Notes on dynamic analysis

Attempt to uncover the target's vulnerabilities

Whether you find vulnerabilities through your phishing approaches or within your static or dynamic approaches, the first step is to document these potential avenues to exploit.

These weaknesses will have to be addressed in future. Record them now even if they do not lead to a major security breach as the test continues.

Vulnerabilities found

Assess how much immediate damage can be caused

At this step, begin to try to exploit these weaknesses to see what information can be gleaned.

Use the form field below to record notes on what can or cannot be accessed at this moment in time.

Summarize the potential damage which could be caused

Try to maintain persistent access

Another key area to test is how embedded you can become within the network.

Are you able to establish long term access?

Are you able to retain access unnoticed?

Use the form field below to record your attempts at long term exploitation.

Notes on persistent access

Compile the penetration test report

Once you have completed your penetration testing, compile your full report and upload it in the form field below.

Penetration test final report

Send the penetration test report

Use the email widget below to send this report to the relevant people.

You can use the variables options to enter information into the email automatically.